White House abolishes decade-old cookies ban

Agencies will be barred from tracking a visitor's activity on nongovernment sites and from sharing the data it collects without gaining users' permission first.

As expected, White House officials on Friday rolled back a 10-year-old prohibition on web-tracking devices called cookies, a policy that online experts said prevented agencies from personalizing online services to engage the public.

For nearly a year, the Office of Management and Budget had been consulting with privacy advocates and agencies to update the policy in a way that would bring government sites into the 21st century, where people are accustomed to navigating commercial websites that rely on cookies, but also protect visitors' privacy. The ban initially was instituted to uphold civil liberties. But many agencies found legal work-arounds to use the tools.

"Our view is that this is going on already and it has been for many years, and it's important that we set down a clear set of rules for the road so that agencies are confident they are doing it in . . . a way that really respects privacy," said Michael Fitzpatrick, associate administrator of OMB's Office of Information and Regulatory Affairs.

Cookies are small files deposited on Internet users' computers when they visit a website. They often store the Web pages a visitor regularly views and other preferences, as well as measure the site's traffic volume and visitor demographics.

Friday's policy takes pains to limit the collection of personally identifiable information that can be combined to discern an individual's name, such as the series of numbers that identify a user's computer, personal mailing addresses and e-mail addresses. Agencies can gather such information only if a user consents. In addition, agencies must give 30 days' notice to the public and seek citizens' input before moving ahead with the technology.

Websites will be barred from tracking a visitor's activity on nongovernment sites and from sharing with other agencies the data they collect without gaining the user's permission first. Agencies can cross-reference the information they collect with personally identifiable information to further analyze visitors' activity only with their explicit consent.

To finalize the new rules, White House officials met with privacy groups including the Electronic Privacy Information Center and the Center for Democracy and Technology, as well as federal chief information officers, agency Web managers and Web analytics companies.

In a related move, OMB added privacy stipulations to existing guidance on the use of other organizations' social media tools such as YouTube. "Agencies must go back and review their current relationship with third parties and bring them into compliance with this new guidance," Fitzpatrick said.

Many agencies use online community sites such as Facebook and YouTube to interact with citizens and involve them in policymaking. "What has been missing is a clear set of guidelines with respect to privacy protections when they engage in these practices," Fitzpatrick said.

Under the new rules, agencies partnering with a third-party website must review the other entity's privacy policy to determine whether it is appropriate for the agency, he said. The policy also requires agencies to conduct a privacy impact assessment that examines whether controls are in place to comply with federal privacy regulations. In addition, officials must update their agency's privacy policies to inform the public that third parties could be providing the agency with personally identifiable information.